diff --git a/.github/workflows/codemod-report.yml b/.github/workflows/codemod-report.yml
index 96a44c8..e84928c 100644
--- a/.github/workflows/codemod-report.yml
+++ b/.github/workflows/codemod-report.yml
@@ -55,6 +55,7 @@ jobs:
         if: github.event.pull_request.head.repo.fork == false
         uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea  # v7.0.1
         with:
+          github-token: ${{ secrets.RELEASES_TOKEN }}
           script: |
             const fs = require('fs');
             const summary = fs.readFileSync('/tmp/codemod-summary.md', 'utf8');
diff --git a/internal/drivers/firewall.go b/internal/drivers/firewall.go
index 8cadb91..ddd1235 100644
--- a/internal/drivers/firewall.go
+++ b/internal/drivers/firewall.go
@@ -125,7 +125,7 @@ func (d *FirewallDriver) Update(ctx context.Context, ref interfaces.ResourceRef,
 	if err != nil {
 		return nil, fmt.Errorf("firewall update %q: %w", ref.Name, err)
 	}
-	if err := validateFirewallTargets(spec.Name, req); err != nil {
+	if err := validateFirewallTargets(ref.Name, req); err != nil {
 		return nil, err
 	}
 	providerID, err := d.resolveProviderID(ctx, ref)
diff --git a/internal/drivers/firewall_test.go b/internal/drivers/firewall_test.go
index cbdc5d2..719705b 100644
--- a/internal/drivers/firewall_test.go
+++ b/internal/drivers/firewall_test.go
@@ -498,6 +498,31 @@ func TestFirewallDriver_Update_NoTargets_Errors(t *testing.T) {
 	}
 }
 
+// TestFirewallDriver_Update_NoTargets_RefNameInError is a regression test for
+// the case where ref.Name and spec.Name diverge. The no-targets error must
+// reference ref.Name (the authoritative identity), not spec.Name.
+func TestFirewallDriver_Update_NoTargets_RefNameInError(t *testing.T) {
+	mock := &mockFirewallClient{fw: testFirewall()}
+	d := drivers.NewFirewallDriverWithClient(mock)
+
+	_, err := d.Update(context.Background(), interfaces.ResourceRef{
+		Name: "ref-name", ProviderID: "f8b6200c-3bba-48a7-8bf1-7a3e3a885eb5",
+	}, interfaces.ResourceSpec{
+		Name:   "spec-name", // intentionally different from ref.Name
+		Config: map[string]any{},
+	})
+	if err == nil {
+		t.Fatal("expected error for empty targets, got nil")
+	}
+	want := fmt.Sprintf(drivers.NoTargetsErrFmt, "ref-name")
+	if got := err.Error(); got != want {
+		t.Errorf("error uses wrong name:\n got: %q\nwant: %q", got, want)
+	}
+	if mock.lastReq != nil {
+		t.Error("FirewallRequest reached godo client despite empty-targets validation")
+	}
+}
+
 // TestFirewallDriver_Create_DropletIDs_AcceptsMixedNumeric verifies the
 // helper accepts the YAML-decoded numeric variants (int, int64, float64) the
 // modular YAML loader can produce.